Question 1

What is SPF and why does it matter for cold email?

Accepted Answer

SPF (Sender Policy Framework) is a DNS record that tells inbox providers which mail servers are authorized to send email on behalf of your domain. Without a correct SPF record, Gmail, Outlook, and Yahoo treat your emails as potentially forged — dramatically increasing the chance of spam placement. For cold email specifically, SPF failure is one of the fastest paths to a blacklisted domain, because sending to thousands of cold prospects amplifies any authentication gap into a large reputation signal.

Question 2

What is DKIM and how does Mailflo set it up?

Accepted Answer

DKIM (DomainKeys Identified Mail) is a cryptographic signature added to every email you send, allowing the receiving mail server to verify that the email was actually sent by your domain and hasn't been tampered with in transit. Setup requires generating a public/private key pair, publishing the public key as a DNS TXT record (the DKIM selector), and enabling signing in your email platform. Mailflo generates 2048-bit DKIM keys for every sending domain, publishes the selector records, activates signing in your email platform (Google Workspace, Microsoft 365, or your ESP), and monitors selectors continuously for key drift or deactivation.

Question 3

What is DMARC and what policy should I start with?

Accepted Answer

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy record that tells receiving mail servers what to do when an email fails SPF or DKIM alignment. It also generates aggregate reports showing which servers are sending email on behalf of your domain. The correct starting policy is p=none — this reports failures without blocking any email, giving you visibility into your sending landscape before you enforce anything. Mailflo implements a phased rollout: p=none first, then p=quarantine once all legitimate senders are authenticated, then p=reject for full enforcement. Jumping directly to p=reject without this process commonly breaks legitimate email flows.

Question 4

Why do authentication records drift after initial setup?

Accepted Answer

DNS records change for many reasons: a DNS provider migration, a new email tool added to the stack, a provider rotating DKIM keys, a new sending service that needs to be added to your SPF record, or a team member making a DNS change that inadvertently breaks existing records. Without continuous monitoring, these changes are invisible until you notice inbox rates collapsing. Mailflo monitors all authentication records across all your sending domains continuously, alerting you immediately when any record changes or fails validation — and auto-repairing records that drift within defined parameters.

Question 5

Do I need separate SPF, DKIM, and DMARC records for each sending domain?

Accepted Answer

Yes. Email authentication is per-domain, not per-company. Every secondary sending domain you use for cold email needs its own complete SPF record, its own DKIM selector, and its own DMARC policy. Since February 2024, Google and Yahoo require full authentication for bulk senders — and these requirements apply to your secondary cold email domains exactly as they apply to your primary domain. Microsoft enforced the same requirements in May 2025. Teams running 10, 20, or 50 sending domains need all of them properly configured and monitored — which is exactly the operational challenge Mailflo handles.

Question 6

What's the difference between DMARC p=none, p=quarantine, and p=reject?

Accepted Answer

p=none means: report failures but take no action. Email that fails DMARC alignment is still delivered normally. Use this phase to map all legitimate sending sources before you start enforcing anything. p=quarantine means: send failing emails to the spam folder. Use this once all legitimate senders are properly authenticated and visible in your DMARC reports. p=reject means: reject failing emails outright — the email never reaches the recipient. This is the strongest protection against domain spoofing and is the end goal for mature domains. The standard timeline is 30–60 days at p=none, 30 days at p=quarantine, then p=reject once reports are clean.

Question 7

Does Mailflo configure authentication for both Google Workspace and Microsoft 365?

Accepted Answer

Yes. The setup process differs between providers — Google Workspace DKIM is managed through the Admin Console's Gmail settings, while Microsoft 365 DKIM requires CNAME selectors activated through the Exchange admin center. Mailflo handles the complete authentication stack for both environments: correct SPF includes for each provider's sending ranges, DKIM activated through the appropriate admin panel, and a unified DMARC policy covering all sending domains regardless of which provider they run on.

SPF, DKIM & DMARC — configured and monitored for you.

Why authentication breaks — even when you think it's set up

One wrong DNS record breaks authentication silently

DMARC misconfiguration exposes your domain to spoofing

Authentication records drift without anyone noticing

Sending across 10+ domains means 30+ records to maintain

Everything included in your authentication setup

SPF Record Setup & Management

DKIM Key Generation & Publishing

DMARC Policy Configuration

DMARC Report Monitoring

DNS Record Validation & Auto-Repair

Authentication Audit & Remediation

From broken to bulletproof in 4 steps

Audit

Configure

Monitor

Enforce

Authentication is the foundation — build the full stack

Cold Email Infrastructure

Email Deliverability Services

Google Workspace Setup

Microsoft 365 Setup

Frequently asked questions

Get your authentication fixed this week.

Done-for-you SPF, DKIM & DMARC — for every sending domain.